Adobe confirms stolen passwords were encrypted, not hashed

Researchers have revealed, and Adobe has confirmed, that the millions of passwords stolen in the October breach were not stored according to industry best practice. Instead of being hashed, the passwords were encrypted, which makes things easier for those looking to recover them.

In a statement to CSO confirming details first reported by Ars Technica on Friday, Adobe said that the passwords taken in the October breach were not hashed, as many had assumed, but encrypted, meaning that Adobe's engineers were, at least at one time, not following best practice for password storage.

For password storage, the best practice is to use an algorithm designed for the job, the usual choices being bcrypt, scrypt or PBKDF2. These are deliberately slow and tunable, so every guess in a brute-force or dictionary attack costs the attacker real computation; a fast general-purpose hash such as SHA-2 is not designed for this, even though it is still better than reversible encryption. A long, random, per-user salt is combined with the password before hashing, creating what is commonly known as a salted hash. The salt does not slow down a single guess, but it defeats precomputed tables and forces the attacker to crack each account separately, since two users with the same password no longer share a hash. When passwords are not properly hashed, any organization graded against the OWASP Top 10 immediately runs afoul of item A6, Sensitive Data Exposure.
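The practice described above, as an added Python example (not Adobe's code or any library's documented API): a minimal password store using PBKDF2-HMAC-SHA256 from the standard library, with a random 16-byte salt per user and the work factor stored alongside the hash so it can be raised later. PBKDF2 is used here because it ships with Python; bcrypt or scrypt would be equally valid choices. The record layout, function names and iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Added example (not Adobe's code): a minimal password store built on PBKDF2-HMAC-SHA256
# from the Python standard library, with a random per-user salt and a stored work factor.
# The record layout "algorithm$iterations$salt_hex$hash_hex" is this example's own choice.
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per user


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a slow, salted hash and return a self-describing record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # a malformed record never verifies
    if algorithm != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses a lower work factor than current policy (or is not in the
    expected format); re-hash it at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    alice = hash_password("123456")
    bob = hash_password("123456")
    # Same password, different salt: the records share nothing, so cracking one gives
    # nothing about the other, and reused passwords are not visible in the store.
    print(alice != bob, verify_password("123456", alice), verify_password("password", alice))
```

The point of `needs_rehash` is that the work factor is a policy, not a constant: when you raise `ITERATIONS`, old records keep verifying and are silently upgraded as users log in.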

Adobe says that it has followed best practice for password storage for more than a year now, as its authentication systems were upgraded to use salted SHA-256 to protect customer passwords. (Salted SHA-256 is a fast general-purpose hash rather than a deliberately slow password hash, so it is a large improvement over reversible encryption but still not what bcrypt, scrypt or PBKDF2 provide.) However, this upgraded system was not what the attackers hit.

"This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored," Adobe spokesperson Heather Edell told CSO.

Using Triple DES (3DES) to protect passwords goes against best practice because encryption is reversible: whoever obtains the key, whether by guessing it or by finding it wherever the application kept it, recovers every password at once, whereas a hash has to be attacked one guess at a time. Attacking 3DES itself is not practical, so the key is not the weak point here. But encryption also leaks structure that hashing does not, particularly in ECB mode with one key for every record: identical passwords produce identical ciphertext, and the number of 8-byte blocks reveals roughly how long each password is. So while Adobe's choice hasn't made things terribly convenient for those attempting to crack the stolen list, it hasn't made the list useless to them either.

Passive examination of the list, which contains more than 130 million Adobe accounts, has already turned up some interesting data. Jeremi Gosney of Stricture Consulting Group was able to compile a Top 100 list of common passwords without the key, thanks to several properties of the data.

"We do not (yet) have the keys Adobe used to encrypt the passwords of 130,324,429 users affected by their most recent breach. However, thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint, this is not preventing us from presenting you with this list of the top 100 passwords selected by Adobe users," Gosney wrote.
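The analysis Gosney describes, as an added Python example that is neither his tooling nor Adobe's code. Because the real 3DES key is unavailable, the example builds its own small dump with a constructed stand-in for "3DES, ECB mode, one key for everyone": each 8-byte plaintext block is replaced by a keyed digest, which is not a cipher but reproduces the one property the analysis exploits, that equal plaintext blocks give equal ciphertext blocks. The dump layout (`email|ciphertext|hint`), the user records, the hint heuristic and all function names are this example's assumptions. Everything after the dump is built works from ciphertext and hints alone: it ranks passwords by ciphertext frequency, reads the password length range off the block count, takes a password as recovered when enough users' hints literally state it, and then labels every other ciphertext sharing that password's first block with the known 8-character prefix.

```python
import base64
import hashlib
from collections import Counter, defaultdict

BLOCK = 8  # 3DES works on 8-byte blocks

# ---- Constructing a dump to analyse (all of this is made up for the example) ----
# Stand-in for "3DES, ECB mode, one key for everyone". It is NOT 3DES and cannot be
# decrypted: each 8-byte plaintext block becomes a keyed digest, which keeps the one
# property the analysis exploits: equal plaintext blocks give equal ciphertext blocks.
_SHARED_KEY = b"constructed stand-in for the single key"


def ecb_stand_in(password: str) -> str:
    data = password.encode("utf-8")
    pad = BLOCK - len(data) % BLOCK           # PKCS#5 padding: always at least one pad byte
    data += bytes([pad]) * pad
    ct = b"".join(hashlib.sha256(_SHARED_KEY + data[i:i + BLOCK]).digest()[:BLOCK]
                  for i in range(0, len(data), BLOCK))
    return base64.b64encode(ct).decode()


_USERS = [  # (email, password, hint); constructed, and "email|ciphertext|hint" is not Adobe's layout
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "123456"),
    ("c@example.com", "123456", "1-6"),
    ("d@example.com", "123456", "123456"),
    ("e@example.com", "adobe123", "adobe123"),
    ("f@example.com", "adobe123", "company name + 123"),
    ("g@example.com", "adobe123", "adobe123"),
    ("h@example.com", "password", ""),
    ("i@example.com", "password", "password"),
    ("j@example.com", "password", "password"),
    ("k@example.com", "password1", ""),        # first 8 bytes identical to "password"
    ("l@example.com", "correct horse battery", "xkcd"),
]
DUMP = [f"{email}|{ecb_stand_in(pw)}|{hint}" for email, pw, hint in _USERS]

# ---- Analysis: everything below uses only ciphertext and hints, never the key ----

def parse(lines):
    return [tuple(line.split("|", 2)) for line in lines]


def blocks(ct_b64: str):
    raw = base64.b64decode(ct_b64)
    return [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]


def length_range(ct_b64: str):
    """n ciphertext blocks with PKCS#5 padding means 8(n-1) <= len(password) <= 8n-1."""
    n = len(blocks(ct_b64))
    return BLOCK * (n - 1), BLOCK * n - 1


def rank_ciphertexts(recs):
    """Identical ciphertext means identical password, so the frequency table needs no decryption."""
    return Counter(ct for _, ct, _ in recs)


def guess_from_hints(recs, min_votes=2):
    """Per ciphertext, the most common hint that could itself be the password (no spaces and a
    byte length consistent with the block count), accepted only if min_votes users agree. Heuristic."""
    votes = defaultdict(Counter)
    for _, ct, hint in recs:
        h = hint.strip()
        lo, hi = length_range(ct)
        if h and " " not in h and lo <= len(h.encode("utf-8")) <= hi:
            votes[ct][h] += 1
    found = {}
    for ct, counter in votes.items():
        hint, n = counter.most_common(1)[0]
        if n >= min_votes:
            found[ct] = hint
    return found


def recover(recs, min_votes=2):
    """Map ciphertext -> ("password", p) when hints gave it away, or ("prefix", first 8 chars)
    when only the first ECB block matches an already recovered password."""
    known = guess_from_hints(recs, min_votes)
    first_block = {blocks(ct)[0]: pw.encode("utf-8")[:BLOCK].decode("utf-8", "replace")
                   for ct, pw in known.items()}
    out = {}
    for _, ct, _ in recs:
        if ct in known:
            out[ct] = ("password", known[ct])
        elif blocks(ct)[0] in first_block:
            out[ct] = ("prefix", first_block[blocks(ct)[0]])
    return out


def top_passwords(recs, n=5, min_votes=2):
    """(count, kind, value, (min_len, max_len)) for the n most common ciphertexts."""
    labels = recover(recs, min_votes)
    return [(count, *labels.get(ct, ("unknown", None)), length_range(ct))
            for ct, count in rank_ciphertexts(recs).most_common(n)]


if __name__ == "__main__":
    for row in top_passwords(parse(DUMP)):
        print(row)
```

Note what ECB gives away even with the key out of reach: the frequency ranking is exact without a single decryption, and in this padding scheme every password whose length is a multiple of 8 ends in the same all-padding block, so those entries are recognisable on sight. With a salted hash none of these relationships between records would exist.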

According to the Top 100 list, nearly 1.9 million accounts used '123456' as their password, with more than 440,000 accounts opting to go with '123456789' instead. After that, 'password,' 'adobe123,' and '12345678,' rounded out the top five.

Judging by the list, many of the exposed accounts were protected by a throwaway password chosen on the assumption that the Adobe account didn't matter. People are creatures of habit, though, and because email addresses were exposed alongside the passwords, the real concern is that the same passwords are in use on other sites.

If you'd like to check whether your email address appears in the list of compromised Adobe data circulating online, several lookup services index the leak. As a rule, if your email was exposed, change that password anywhere you reused it and be skeptical of any communication referencing the Adobe breach.


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.